Mercurial > prosody-modules
view mod_register_dnsbl/mod_register_dnsbl.lua @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 23 Jul 2023 02:56:08 +0200 |
| parents | 82482e7e92cb |
| children |
line wrap: on
line source
local adns = require "net.adns"; local async = require "util.async"; local inet_pton = require "util.net".pton; local to_hex = require "util.hex".to; local rbl = module:get_option_string("registration_rbl"); local function reverse(ip, suffix) local n, err = inet_pton(ip); if not n then return n, err end if #n == 4 then local a,b,c,d = n:byte(1,4); return ("%d.%d.%d.%d.%s"):format(d,c,b,a, suffix); elseif #n == 16 then return to_hex(n):reverse():gsub("%x", "%1.") .. suffix; end end module:hook("user-registering", function (event) local session, ip = event.session, event.ip; local log = (session and session.log) or module._log; if not ip then log("debug", "Unable to check DNSBL when IP is unknown"); return; end local rbl_ip, err = reverse(ip, rbl); if not rbl_ip then log("debug", "Unable to check DNSBL for ip %s: %s", ip, err); return; end local wait, done = async.waiter(); adns.lookup(function (reply) if reply and reply[1] and reply[1].a then log("debug", "DNSBL response: %s IN A %s", rbl_ip, reply[1].a); log("info", "Blocking %s from registering %s (dnsbl hit)", ip, event.username); event.allowed = false; event.reason = "Blocked by DNSBL"; end done(); end, rbl_ip); wait(); end);